The European Data Protection Board ("EDPB") has recently published a welcome clarification on the issue of consent under Payment Services Directive ((EU) 2015/2366) ("PSD2") and lawful basis for processing "silent party data".
On 5th July, the EDPR issued a response to the European Parliament's request for clarification regarding how banks should interpret (and indeed comply with) such requirements under PSD2, alongside the obligations under the General Data Protection Regulation 2016/679 ("GDPR").
Explicit consent
The EDPB clarified that "explicit consent" under Article 94(2) of PSD2 is an additional requirement of a contractual nature and does not require the same standard of consent under the General Data Protection Regulation ((EU) 2016/679) ("GDPR"). According to the EDPB, recital 87 of PSD2 makes it clear that PSD2 sets out contractual obligations and responsibilities between parties. The EDPB noted that transparency remains an important factor and data subjects must be made fully aware of the purposes for which their personal data will be processed and have to agree explicitly to that processing. Such clauses should be clearly distinguishable from the other matters dealt with in the contract and need to be explicitly accepted by the data subject.
Whilst under GDPR, the lawful basis of processing in this context, would be Article 6(1)(b) "necessary to performance of a contract" rather than "consent".
Silent party data
When a payment service user under the PSD2 ("payer") has given explicit consent (under PSD2) to a payment initiation service provider ("PISP") to process personal data for the transfer of money to a third party ("payee") without there being a contractual relationship between the payee and the PISP, the issue is whether the PISP can also process the personal data of the payee (i.e. the silent party) to make the transfer possible. Such personal data of the payee would include his/her name, bank details, and (in some circumstances) other personal data provided by the payer as part of the requested transaction, such as information entered as a payment reference or the relevant purchase details (e.g. gym membership renewal).
In its response the EDPB determined that, in the context of payment and account services, the lawful basis under GDPR for processing a silent party's personal data by a PISP or an Account Information Service Provider ("AISP") could be the legitimate interest of a controller or a third party to perform the contract with the payer (Article 6 (1)(f)). The EDPB noted that PISPs and AISPs will need to ensure that they continue to observe the other principles under the GDPR, such as purpose limitation, data minimisation and transparency.
The EDPB went on to clarify that relying on legitimate interest would not permit further processing of a silent party's personal data other than for the purpose it was originally collected.
Bite-sized news
UK proposes unprecedented treaty to govern data handling post-EU withdrawal. Data protection is high on the list in the Brexit negotiations and is considered by the Prime Minister as one of the five foundations that should underpin the future trading relationship with the EU. The House of Commons' Report on the progress of the UK's negotiations on EU withdrawal regarding Data (26 June 2018) makes it clear that the flow of personal data between the EU and the UK remains an open point of discussion. The UK Government has proposed a two-way international agreement with the EU in order to facilitate data flows between the EU and UK (rather than relying on an adequacy decision). The proposal includes the principle that the ICO should have a continuing role on the European Data Protection Board, as well as providing UK representation under the EU's new One-stop shop (under which the ICO would regulate the GDPR within the UK). The EU's position remains that a decision to leave the Single Market and Customs Union "means leaving the EU Common Supervision and Enforcement Structures", so that the UK would be expected to leave the European Data Protection Board, in the same way as any other EU supervisory authority. Under the EU's position, the UK would need to rely on an adequacy finding, but in any event this would not include the cooperation and joint enforcement of the GDPR by the ICO and EU data protection authorities. The UK has raised concerns that an adequacy decision may introduce risks to trade, public services and citizens' security.
ICO calls for evidence on children's privacy. The ICO launched a call for evidence asking for views on the Age Appropriate Design Code (the "Code") which it is required to produce under the Data Protection Act 2018. The Code will support and supplement the implementation of the GDPR by providing guidance on the design standards the ICO will expect from providers of online Information Society Services if they process personal data and are likely to be accessed by children. Specifically, the Code is intended to further the concept of data protection by design and the ICO will consider privacy and notices, automated processing of children, use of geolocation data as well as the transparency of marketing and product placement. Once finalised, the ICO will be required to take account of any relevant provisions of the Code when considering exercising regulatory functions.
With special thanks to Katherine Velos, Shanice McAnuff and Tom Brookes for their contribution.
